Solved

I found a file that is some sort of virus that I can't remove

Posted on 2004-04-22
Last Modified: 2013-12-04
I am dealing with a dll file called ndhygv.dll on a windows xp home edition PC.  I can't remove the dll.

I found it in the registry, delete the key and it puts it back by itself.

I delete it from startup using msconfig and close and don't reboot to get out of msconfig.  Then I run msconfig again and look at startup.  It is there again.  The virus? is putting it back in for me.  In safe mode, I can't delete the file either.

Any ideas?  <removed by modulo>

I would greatly appreciate any assistance.

Tim Chapman
Question by:TimChapman
24 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 2000 total points
ID: 10896292
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896294
TimChapman,
> I delete it from startup using msconfig

Did you mean disable it?

Go to the Startup tab in msconfig and disable all applications. Reboot the machine and check if it would appear. If it does not appear, then enable the applications one by one and check which application might cause that ..

#Sun
0
 

Author Comment

by:TimChapman
ID: 10896326
I did go to the Startup tab and disable each application other than the Norton applications.  I also tried unchecking the button that says Load Startup Items.  I would then exit msconfig without rebooting.  I would then immediately open it again.  The Load Startup Items button would be checked and the item would be checked in the Startup list.  The virus? is doing this itself.  Same when I would remove it from the registry.  It would put itself back.  This is a very difficult problem to solve because Safe mode did not help either.  Same results there.  It loads in safe mode.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896356
TimChapman,
>  I would then exit msconfig without rebooting.  

As I had previously said, after doing that in msconfig reboot the machine and see what happens.

Have you used the spyware removal tools and checked for viruses?

Post back after doing all these.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896386
TimChapman,

Also try this

First make a backup of your registry

Then go to the registry and search for that name that you see in that folder on the desktop.
If you are not familiar with it, delete it.

For searching, first press Ctrl+F. After it reports the first match, press F3 and search again, and keep doing that until you find all references to it.

Post back
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896391
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
0
 

Author Comment

by:TimChapman
ID: 10896418
After disabling all applications in MSconfig and rebooting, I ran msconfig again.  The entry was still there and the startup items were enabled.  Having disabled them before shutdown, it seems that the virus? is reenabling the startup items.

> in that folder in desktop

What folder are you referring to?
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896435
Oh, I meant this ndhygv.dll.

Search for this name in the registry and remove it if you are not sure what it is ..
I do not see any reference to this dll in Google, so you can remove it.

msconfig checks these in the registry:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Go to the registry, check these and remove anything that you are not sure of.
0
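The six autostart keys listed above are the ones msconfig reads, and the thread's observation is that an entry under them comes back seconds after it is deleted. The PowerShell script below is an added example, not code from the thread or from Experts Exchange: it enumerates exactly those keys (walking subkeys as well, since RunOnceEx stores its commands in numbered subkeys), reports every value whose command line references a given DLL name, and optionally keeps polling so that an entry being re-created by a resident process is logged with a timestamp rather than discovered by hand. It goes beyond the single manual check in the comment by watching for re-creation over time. It assumes Windows with PowerShell 3 or later and read access to HKLM and HKCU; the DLL name is a parameter and defaults to the one from this thread.

```powershell
# Added example (not from the thread): audit the msconfig autostart keys
# for values referencing a DLL, and optionally watch for re-creation.
# Assumptions: Windows, PowerShell 3+, read access to HKLM/HKCU.
param(
    [string]$DllName = 'ndhygv.dll',   # name from this thread; pass another to audit for it
    [int]$PollSeconds = 0             # 0 = single pass; >0 = keep watching at this interval
)

# The same keys the expert lists above, as PowerShell registry drive paths.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-SuspectRunEntries {
    param([string]$Needle)
    $pattern = [regex]::Escape($Needle)
    foreach ($root in $RunKeys) {
        if (-not (Test-Path $root)) { continue }
        # The key itself plus any subkeys (RunOnceEx keeps commands in numbered subkeys).
        $keys = @($root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
                             ForEach-Object { $_.PSPath })
        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }      # skip PowerShell's metadata properties
                if ("$($p.Value)" -match $pattern) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
                }
            }
        }
    }
}

function Write-Stamped([string]$Message) {
    Write-Output ("{0} {1}" -f (Get-Date -Format 'HH:mm:ss'), $Message)
}

# Track which entries are present so that each appearance and removal is logged once.
# An entry that returns within seconds of being deleted means a running process is
# rewriting it; that process has to be stopped before the key will stay clean.
$present = @{}
do {
    $current = @{}
    foreach ($h in @(Get-SuspectRunEntries -Needle $DllName)) {
        $id = "$($h.Key)\$($h.Name)"
        $current[$id] = $h.Value
        if (-not $present.ContainsKey($id)) {
            Write-Stamped ("APPEARED {0} = {1}" -f $id, $h.Value)
        }
    }
    foreach ($id in @($present.Keys)) {
        if (-not $current.ContainsKey($id)) { Write-Stamped ("REMOVED  {0}" -f $id) }
    }
    if ($current.Count -eq 0 -and $present.Count -eq 0) {
        Write-Stamped ("no autostart entries reference {0}" -f $DllName)
    }
    $present = $current
    if ($PollSeconds -gt 0) { Start-Sleep -Seconds $PollSeconds }
} while ($PollSeconds -gt 0)
```

Run it once (`.\Audit-RunKeys.ps1`) for a plain listing, or with `-PollSeconds 2` while deleting the entry in regedit: if the script prints REMOVED followed shortly by APPEARED, the rewrite is happening live and the process doing it is the thing to find, which is why the later advice in this thread moves on to unregistering and removing the DLL itself.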
 

Author Comment

by:TimChapman
ID: 10896488
I removed all entries with ndhygv.dll.  Before I could even close regedit, they were back again.  This is very insidious.   The run and runonce keys, I checked and deleted all I did not recognize, but it did no good as these entries would return by themselves.  There is no point in deleting more entries as the changes won't take effect until I reboot and the dll is run again.  This needs tougher measures and I don't know where to begin.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896492
Also try doing these

a) Remove temporary internet files, cookies and history by going to Internet Explorer ---> Tools ---> Internet Options.

b) Go to Start --> Run --> %temp%
Remove all the files there. DO NOT REMOVE THE TEMP FOLDER. Just remove the files inside.

c) Also do a disk cleanup.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896501
TimChapman,

Have you tried all the spyware tools and virus scanners yet? Try them and post back..

Check your Control Panel --> Add/Remove Programs for any unknown program. If you have any, uninstall them.

Also use these registry cleaners

jv16 http://download.com.com/3000-2094-10196668.html?tag=lst-0-1 (FREEWARE)
RegCleaner http://www.vtoy.fi/jv16/shtml/regcleaner.shtml
AATools RegClean http://www.glocksoft.com/aatools_registry_cleaner.htm
Registry Medic  http://www.iomatic.com/products/product.asp?ProductID=registrymedic
RegVac  http://regvac.com/fregvac.htm#download
0
 

Author Comment

by:TimChapman
ID: 10896512
I tried deleting temporary internet files.  Some won't delete.

I did not run %temp%.   Please tell me what that should do.  I have never seen that before.

The computer hangs when I try to do a disk cleanup.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896521
TimChapman,
> I tried deleting temporary internet files.  Some won't delete.

what do you mean by this ?

Go to Start --> Run and type in " %temp% "  (without quotes).
It will open the temporary folder where all temp files are stored on your machine.
Remove all those files ..


Not sure why disk cleanup would hang your machine.. Wait for some time when you do disk cleanup, as there would be many unwanted files to clean up.

restart the machine after doing all these
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896729
what is the status ?

Have you tried all spyware tools, virus scanners etc.?

remove all those temp files ..

post back
0
 

Author Comment

by:TimChapman
ID: 10896770
I have to wait to do those.  The computer is at a client's location.  He may not want to pay me the hours needed to continue.  I emailed him to ask him to let me have the computer at my site so I can work on it without charging him.  I would like to get to the bottom of this virus (?).  I was very surprised to find nothing about it when I searched Google.  Looks like something new.  

I don't understand the Experts Exchange regarding the Accept button.  When I accept a reply, does that mean the sender gets the 500 points?

Thanks for your effort on this.  I will try to see this to completion so the points can be given and so that the problem can be solved and the information shared.

Tim
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10896789
Looks like it is a new virus or trojan or spyware.

This is how it works:

You assign 500 points, or however much you can depending on the question.
Once you click Accept, you will be taken to a page where you need to give the grade.
Depending on the grade, the expert would get points.

Say if you give an A grade, the expert would get 500 * 4 = 2k points;
if B grade, 500 * 3;
if C grade, 500 * 2.

Hope you understand.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897331
Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below, there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897333
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10897531
This is how to find ndhygv.dll and stop it.

1. Start / Run / regedit
2. ENTER
3. CTRL-B
4. ndhygv.dll
5. ENTER
6. If you find it in HKCR/CLSID/{xxxx-xxxx-xxxx}/InprocServer32 then identify all the {yyyy-yyyy-yyyy} in the regkey like HKCR/CLSID/{xxxx-xxxx-xxxx}/Implemented Categories/{yyyy-yyyy-yyyy}
7. If you can find the same {yyyy-yyyy-yyyy} in HKLM/Software/Microsoft/Internet Explorer/ActiveX Compatibility/ then set a kill bit according to:

How to Stop an ActiveX Control from Running in Internet Explorer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;240797&sd=tech
0
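Steps 6 and 7 above amount to two lookups: find every COM class in HKCR\CLSID whose InprocServer32 value names the DLL, then mark those classes so Internet Explorer refuses to load them. The PowerShell script below is an added example, not code from the thread, from Experts Exchange or from tryware.dk: it performs the InprocServer32 search for a given DLL name and then sets the kill bit the way the linked KB 240797 describes it, a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, keeping any flags already present. It assumes an elevated PowerShell 3 or later session on Windows; the DLL name is a parameter defaulting to the one from this thread, and `-WhatIf` shows what would be written without touching the registry.

```powershell
# Added example (not from the thread): find CLSIDs served by a DLL and set the
# Internet Explorer kill bit for each, per KB 240797 (Compatibility Flags 0x400).
# Assumptions: elevated PowerShell 3+ on Windows. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$DllName = 'ndhygv.dll')   # name from this thread; pass another to handle it

$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Find-ClsidByServerDll {
    param([string]$Needle)
    $pattern = [regex]::Escape($Needle)
    # HKCR has no default PSDrive; address it through the Registry provider path.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and "$($srv.'(default)')" -match $pattern) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)' }
            }
        }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if ($PSCmdlet.ShouldProcess($key, "set Compatibility Flags bit 0x400 (kill bit)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        $value = [int]$existing -bor $KillBit      # OR in the bit, keep other flags
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $value -Type DWord
    }
}

$found = @(Find-ClsidByServerDll -Needle $DllName)
if ($found.Count -eq 0) {
    Write-Output "No CLSID under HKCR\CLSID has an InprocServer32 pointing at $DllName."
} else {
    foreach ($f in $found) {
        Write-Output ("{0}  ->  {1}" -f $f.Clsid, $f.Server)
        Set-ActiveXKillBit -Clsid $f.Clsid
    }
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not remove the DLL or the Run-key entries discussed earlier in the thread, so it is a containment step to combine with unregistering and deleting the file, not a replacement for it.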
 
LVL 5

Expert Comment

by:barcelona_blom
ID: 10898214
Tim Chapman

Use this command to unregister the DLL file, then delete it.
Change the path to wherever the DLL resides.

regsvr32.exe /u \windows\[controlname]

Click Start, then Run, and enter the command.

Then delete the registry entries for the file.

0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 10911833
regsvr32 /u %systemroot%\system32\ndhygv.dll

ENTER

regsvr32 /u %systemroot%\system\ndhygv.dll

ENTER

good luck
0
